SPECIFICATIONS

TITLE OF THE INVENTION 

CIPHER STRENGTH ESTIMATING DEVICE 

Technical Field 

The present invention relates to a cipher strength estimating device. 

BACKGROUND OF THE INVENTION AND RELATED ART STATEMENT 

Common-key cryptography, which uses a common key in encryption and decryption,
includes block ciphers based on an encryption system which divides data into
blocks and encrypts the data on a block basis. Such block ciphers include those, such as
DES or MISTY, produced by stepwise encryption of a plaintext with repeated transformation
using, as a parameter, a session key calculated from a common key.

The strength of a cipher is estimated by actually making attempts to decipher the cipher in
order to prove that the cipher can be utilized safely in society. Known examples of such
cryptanalysis include: the brute-force search method, which is capable of finding a key by
using all putative keys in conducting encryption or decryption if a pair of plaintext and
ciphertext is given; differential cryptanalysis, which is adapted to find a session key to be
used at the final round of transformation on condition that there is a high probability that a
relationship holds between the exclusive-OR of the plaintexts of two pairs of plaintext
and ciphertext and the exclusive-OR of the ciphertexts of the two pairs; and higher
order differential cryptanalysis, which is adapted to find a session key by an algebraic method
such that a ciphertext outputted at the final round of transformation is expressed using a
Boolean polynomial of the corresponding plaintext and a higher order differential of this
polynomial is considered to be a constant to be used as a condition for presuming the session key.

However, since each of these methods is presently employed to find only one key, simply
employing them in each round does not contribute to a reduction in the amount of calculation
required to find session keys for plural rounds for the purpose of estimating a cipher more
precisely.

List of Non-Patent Literature Documents (References)

Document 1: Babbage, Frisch, "On MISTY1 Higher Order Differential Cryptanalysis", 3rd
International Conference on Information Security and Cryptology 2000

Document 2:

International Workshop LNCS.1636

Document 3: Jakobsen, Knudsen, "The Interpolation Attack on Block Cipher", FSE-4th
International Workshop, LNCS.1372

Document 4: Knudsen, "Truncated and Higher Order Differentials", FSE-2nd International
Workshop, LNCS.1008

Document 5: Lai, "Higher Order Derivatives and Differential Cryptanalysis", Communications
and Cryptography

Document 6: Matsui, "New Structure of Block Ciphers with Provable Security against
Differential and Linear cryptanalysis", FSE-3rd International Workshop, LNCS.1039

Document 7: Moriai, Shimoyama, Kaneko, "Higher Order Attack of a CAST Cipher", FSE-4th
International Workshop, LNCS.1372

Document 8: Nyberg, Knudsen, "Provable Security against Differential Cryptanalysis", Journal
of Cryptology, Vol.8-no.1

Document 9: Shimoyama, Moriai, Kaneko, "Improving the Higher Order Differential Attack
and Cryptanalysis of the KN Cipher", 1997 Information Security Workshop, LNCS.1396

Document 10: Tanaka, Hisamatsu, Kaneko, "Strength of MISTY1 without FL function for
Higher Order Differential Attack", 13th International Symposium, Applied Algebra-Algebraic
Algorithms and Error-Correcting Codes 1999, LNCS.1719

SUMMARY OF THE INVENTION 

Accordingly, it is an object of the present invention to reduce the amount of 
calculation and the like required to collectively find session keys for plural rounds. 

That is, the present invention provides a cipher strength estimating device for
estimating a strength of a ciphertext which is a transformed text obtained at a final round of a
transformation process including: receiving a plaintext; transforming the plaintext using, as a
parameter, a session key calculated from a key for use in encryption; and repeatedly further
transforming the resulting transformed text which is the plaintext thus transformed to perform
stepwise encryption,

the cipher strength estimating device comprising an untransformed text calculating
unit and a control unit, the untransformed text calculating unit comprising a session key
prospect calculating section and an untransformed text calculating unit body, wherein:

the untransformed text calculating unit is operative to receive, as inputs thereto, the
plaintext and one of the ciphertext obtained at the final round of the transformation process
and a putative transformed text presumed to be a transformed text obtained at a certain
intermediate round;

the session key prospect calculating section is operative to: calculate one session key 
prospect presumed to be equivalent to the session key to be used at a relevant round of 
transformation by using the plaintext and one of the ciphertext and the putative transformed 
text or output uncalculability identifier data indicative of inability to calculate when the 
calculation is impossible; and optionally calculate another session key prospect for the
relevant round which is different from the session key prospect already outputted in response 
to receipt of recalculation request data requesting recalculation; 

the untransformed text calculating unit body is operative to: calculate a putative
untransformed text presumed to be equivalent to an untransformed text which is not
transformed yet at the relevant round based on the session key prospect and one of the
ciphertext and the putative transformed text; and output the putative untransformed text as an
output of the untransformed text calculating unit; and

the control unit is operative to: input the plaintext and one of the ciphertext obtained
at the final round of the transformation process and the putative transformed text obtained at
the certain intermediate round, which make a pair, to the untransformed text calculating unit;
receive the putative untransformed text outputted; and repeatedly further input the putative
untransformed text as a putative transformed text for a round immediately preceding the
relevant round to the untransformed text calculating unit together with the plaintext; and
optionally output the recalculation request data to the session key prospect calculating section
in response to receipt of the uncalculability identifier data outputted from the session key
prospect calculating section to cause the session key prospect calculating section to again
calculate said another session key prospect for the immediately preceding round and then
output the putative untransformed text based on said another session key prospect.

This cipher strength estimating device, which is configured to calculate plural
prospects in advance and reduce the number of such prospects in the process of calculating a
key for the immediately preceding round, is more effective in reducing the amount of
calculation and the like than the approach of finding keys for the respective rounds separately.
Further, because a session key for the immediately preceding round is found on the
assumption that a certain session key prospect is the session key, the device is capable of
finding out plural session keys at an earlier stage than the approach of completing calculation
of all session key prospects for each round before calculating the session key prospect for the
immediately preceding round.

The present invention also provides, as an example having a similar effect, a cipher
strength estimating device for estimating a strength of a ciphertext which is a transformed
text obtained at a final round of a transformation process including: receiving a plaintext;
transforming the plaintext using, as a parameter, a session key calculated from a key for use
in encryption; and repeatedly further transforming the resulting transformed text which is the
plaintext thus transformed to perform stepwise encryption,

the cipher strength estimating device comprising an untransformed text calculating
unit and a control unit, the untransformed text calculating unit comprising a session key
prospect calculating section and an untransformed text calculating unit body, wherein:

the untransformed text calculating unit is operative to receive, as inputs thereto, the 
plaintext and one of the ciphertext obtained at the final round of the transformation process 
and a putative transformed text presumed to be a transformed text obtained at a certain 
intermediate round; 

the session key prospect calculating section is operative to: dynamically create a
condition for use in calculating a session key prospect presumed to be equivalent to the
session key to be used at a relevant round of transformation by using the plaintext and one of
the ciphertext and the putative transformed text; calculate one session key prospect based
on the condition thus created or output uncalculability identifier data indicative of inability to
calculate when the calculation is impossible; and optionally calculate another session key
prospect for the relevant round which is different from the session key prospect already
outputted in response to receipt of recalculation request data requesting recalculation;

the untransformed text calculating unit body is operative to: calculate a putative
untransformed text presumed to be equivalent to an untransformed text which is not
transformed yet at the relevant round based on the session key prospect and one of the
ciphertext and the putative transformed text; and output the putative untransformed text as an
output of the untransformed text calculating unit; and

the control unit is operative to: input the plaintext and one of the ciphertext obtained
at the final round of the transformation process and the putative transformed text obtained at
the certain intermediate round, which make a pair, to the untransformed text calculating unit;
receive the putative untransformed text outputted; repeatedly further input the putative
untransformed text as a putative transformed text for a round immediately preceding the
relevant round to the untransformed text calculating unit together with the plaintext; and
optionally output the recalculation request data to the session key prospect calculating section
in response to receipt of the uncalculability identifier data outputted from the session key
prospect calculating section to cause the session key prospect calculating section to again
calculate said another session key prospect for the immediately preceding round and then
output the putative untransformed text based on said another session key prospect.

In finding out a session key prospect for a round immediately preceding a certain
round for one session key prospect presumed to be equivalent to a session key for the certain
round, the device thus configured is capable of creating a condition for calculating an
optimum session key prospect for the preceding round based on the session key prospect for
the certain round and the like and hence can reduce the amount of calculation and the like.

The cipher strength estimating device may be a cipher strength estimating
device for estimating a strength of a ciphertext which is a transformed text obtained at a final
round of a transformation process including: receiving a plaintext; transforming the plaintext
using, as a parameter, a session key calculated from a key for use in encryption; and
repeatedly further transforming the resulting transformed text which is the plaintext thus
transformed to perform stepwise encryption,

the cipher strength estimating device comprising an untransformed text
calculating unit and a control unit, the untransformed text calculating unit comprising a
session key prospect calculating section and an untransformed text calculating unit body,
wherein:

the untransformed text calculating unit is operative to receive, as inputs thereto, the 
plaintext and one of the ciphertext obtained at the final round of the transformation process 
and a putative transformed text presumed to be a transformed text obtained at a certain 
intermediate round; 

the session key prospect calculating section is operative to: dynamically create
conditions for use in calculating a session key prospect presumed to be equivalent to the
session key to be used at a relevant round of transformation by using the plaintext and one of
the ciphertext and the putative transformed text; calculate the session key prospect based on
the conditions thus created or identify inability to calculate when inconsistency is found
between certain two of the conditions and then output uncalculability identifier data
indicative of inability to calculate; and optionally calculate another session key prospect for
the relevant round which is different from the session key prospect already outputted in
response to receipt of recalculation request data requesting recalculation;

the untransformed text calculating unit body is operative to calculate the putative
untransformed text presumed to be equivalent to an untransformed text which is not
transformed yet at the relevant round based on the session key prospect and one of the
ciphertext and the putative transformed text; and output the putative untransformed text as an
output of the untransformed text calculating unit; and

the control unit is operative to: input the plaintext and one of the ciphertext obtained
at the final round of the transformation process and the putative transformed text obtained at
the certain intermediate round, which make a pair, to the untransformed text calculating unit;
receive the putative untransformed text outputted; repeatedly further input the putative
untransformed text as a putative transformed text for a round immediately preceding the
relevant round to the untransformed text calculating unit together with the plaintext; and
optionally output the recalculation request data to the session key prospect calculating section
in response to receipt of the uncalculability identifier data outputted from the session key
prospect calculating section to cause the session key prospect calculating section to again
calculate said another session key prospect for the immediately preceding round and then
output the putative untransformed text based on said another session key prospect.

The device thus configured is capable of judging a session key prospect for a certain
round to be false without the need to actually calculate a session key for the immediately
preceding round by adding, for example, a redundant condition or the like to the condition for
use in the calculation of the session key prospect for the certain round to create plural
conditions and judging whether these conditions have an inconsistency therebetween such
that, for example, there is not a single session key that satisfies the conditions.

The cipher strength estimating device may have a configuration for estimating a
strength of a ciphertext which is a transformed text obtained at a final round of a
transformation process including: receiving a plaintext; transforming the plaintext using, as a
parameter, a session key calculated from a key for use in encryption; and repeatedly further
transforming the resulting transformed text which is the plaintext thus transformed to perform
stepwise encryption,

the cipher strength estimating device comprising a first untransformed text
calculating unit, a second untransformed text calculating unit, and a control unit, the first
untransformed text calculating unit comprising an untransformed text calculating unit body
and a first session key prospect calculating section, the second untransformed text calculating
unit comprising a second session key prospect calculating section, wherein:

the first untransformed text calculating unit is operative to receive, as inputs thereto, 
the plaintext and one of the ciphertext obtained at the final round of the transformation 
process and a putative transformed text presumed to be a transformed text obtained at a 
certain intermediate round; 

the second untransformed text calculating unit is operative to receive, as inputs
thereto, the plaintext and one of the ciphertext obtained at the final round of the
transformation process and a putative transformed text presumed to be a transformed text
obtained at a certain intermediate round;

the first session key prospect calculating section is operative to: conduct brute-force
search for the session key to be used at a certain round of transformation by using the
plaintext and one of the ciphertext and the putative transformed text; calculate one session
key prospect presumed to be equivalent to the session key to be used at said certain round of
transformation or output uncalculability identifier data indicative of inability to calculate
when the calculation is impossible; and optionally calculate another session key prospect for
said certain round which is different from the session key prospect already outputted in
response to receipt of recalculation request data requesting recalculation;

the second session key prospect calculating section is operative to: dynamically create
plural conditions for use in calculating a session key prospect presumed to be equivalent to
the session key to be used at a relevant round of transformation by higher order differential
cryptanalysis using the plaintext and one of the ciphertext and the putative transformed text;
and calculate one session key prospect based on the conditions thus created or identify
inability to calculate when inconsistency is found between certain two of the conditions and
then output uncalculability identifier data indicative of inability to calculate;

the untransformed text calculating unit body is operative to calculate a putative
untransformed text presumed to be equivalent to an untransformed text which is not
transformed yet at the relevant round based on the session key prospect and one of the
ciphertext and the putative transformed text; and output the putative untransformed text as an
output of the untransformed text calculating unit; and

the control unit is operative to: input the plaintext and one of the ciphertext obtained
at the final round of the transformation process and the putative transformed text obtained at
the certain intermediate round, which make a pair, to the first untransformed text calculating
unit; receive the putative untransformed text outputted; input the putative untransformed text
as a putative transformed text for a round immediately preceding the relevant round to the
second untransformed text calculating unit together with the plaintext; and optionally output
the recalculation request data to the first session key prospect calculating section in response
to receipt of the uncalculability identifier data outputted from the second session key prospect
calculating section to cause the first session key prospect calculating section to again
calculate said another session key prospect for the immediately preceding round and then
output the putative untransformed text based on said another session key prospect.

This configuration uses two types of session key calculating units to dynamically
create the conditions based on an algebraic method utilizing higher order differential
cryptanalysis at a certain round and then judges a session key prospect for this round to be
false based on the conditions without actually calculating the session key. Thus, even in
finding out session keys for two or more rounds, the total amount of calculation can be
reduced though the brute-force search imposing a high load is employed at the immediately
succeeding round, as long as the cipher has a transforming block like MISTY1 for example.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block diagram illustrating functions related to claims 1 to 3 according to the 
present invention; 

Fig. 2 is a block diagram illustrating functions related to claim 4 according to the 
present invention; 

Fig. 3 is a block diagram illustrating the configuration of hardware in an embodiment 
of the present invention; 

Fig. 4 is a block diagram illustrating functions of a cipher strength estimating device 
according to the same embodiment; 

Fig. 5 is a diagram illustrating the function of MISTY1;

Fig. 6 is a diagram illustrating the function of modified MISTY1;

Fig. 7 is a diagram illustrating the function of a transforming block (FO function) of
the modified MISTY1 containing the result of formal analysis on an increase in degree; and

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Hereinafter, an embodiment of the present invention will be described. 

Fig. 2 is a block diagram illustrating the system configuration of a cipher strength
estimating device according to this embodiment. The cipher strength estimating device is, for
example, a general-purpose computer as shown and includes a CPU 101, internal memory
102, an external storage unit 103 such as an HDD, a communication interface 104, such as a
modem, for providing connection to a communication network, a display 105, input means
106 such as a mouse or a keyboard, and the like, as shown in Fig. 3.

In this embodiment, by installing a predetermined program in the cipher strength
estimating device and causing the CPU 101 and the peripheral devices to cooperate with each
other, the cipher strength estimating device functions as a plaintext and ciphertext calculating
unit 3, control unit 1, first putative untransformed text calculating unit 21, second putative
untransformed text calculating unit 22, untransformed text calculating unit body 20A, first
session key prospect calculating section 21K, and second session key prospect calculating
section 22K, as shown in Fig. 4.

As shown in Fig. 5, MISTY1 is a block cipher which generates a 64-bit ciphertext
from a 64-bit plaintext with use of a 128-bit user key and which comprises a transforming
block called FO functions of 8-rounds, and linear FL functions. The transforming block
includes FI functions as three intermediate transforming elements each including S-boxes as
three transforming elements. This embodiment is configured to estimate the cipher strength
of 6-round MISTY1 (hereinafter referred to as "modified MISTY1") shown in Fig. 6, the
modified MISTY1 not including the FL functions shown in Fig. 5.

Detailed description will be made of each part of the cipher strength estimating
device.

The order of a Boolean polynomial obtained by higher order cryptanalysis depends on
the plaintext chosen. Since the order of such a polynomial influences the number of chosen
plaintexts to be required and the amount of calculation to be required, it is important to
choose effective plaintexts.

The plaintext is divided into 8 sub-blocks according to S-boxes S7 and S9, which are
components of the transforming block provided in the modified MISTY1.




The degree of an output depends on which sub-block is selected as an input.

As a result of investigation on effective plaintexts, which make a slow increase in
degree, a plaintext obtained by varying only the rightmost sub-block with the rest fixed was
found effective. Accordingly, the plaintext and ciphertext calculating unit 3 is configured to
calculate a pair of plaintext and ciphertext satisfying such a condition.

Fig. 7 illustrates an increase in degree by the formal analysis for such a plaintext. The 
symbol <i/j> denotes that the degree of the left block is i and the right block is j. 

The first putative untransformed text calculating unit 21 is configured to receive a
plaintext and a ciphertext outputted from the plaintext and ciphertext calculating unit and
output a 5th round putative untransformed text and is provided therein with the first session
key prospect calculating section and the putative untransformed text calculating unit body.

The first session key prospect calculating section is configured to conduct the
brute-force search and find one 6th round session key prospect by calculation.

Further, the first putative untransformed text calculating unit 21 makes attempts to
calculate another session key prospect for the relevant round which is different from the
session key prospect already outputted in response to receipt of recalculation request data
requesting recalculation and then outputs the aforesaid another session key prospect if the
calculation thereof has been achieved or outputs uncalculability identifier data indicative of
inability to calculate if the calculation of another session key prospect becomes impossible
after completion of calculation of all session key prospects.

The putative untransformed text calculating unit body outputs a 6th round
untransformed text of MISTY1 by using the aforesaid one session key prospect. This is
achieved by following the same procedure as in decryption.

The second putative untransformed text calculating unit 22 is configured to receive
the plaintext and ciphertext outputted from the plaintext and ciphertext calculating unit 3 and
check the output of a 5th round session key prospect and is provided therein with the second
session key prospect calculating section.

The second session key prospect calculating section first creates plural Boolean 
polynomials for dynamically calculating a session key prospect based on a putative 
transformed key inputted thereto. 

Here, use is made of the following two properties that hold by the higher order 
differential cryptanalysis. 

Property 1:



{ 



Property 2: Let $F(X) : GF(2)^n \to GF(2)^n$. If
$V^{(n)}[a_0, \ldots, a_{n-1}] = GF(2)^n$, then for any fixed value $f \in GF(2)^n$,
$\Delta^{(n)} F(X + f; K) = \Delta^{(n)} F(X; K)$.

The plaintext outputted from the plaintext and ciphertext calculating unit contains a
7-bit variable. For a cryptanalysis using the 7th order differential to be employed, first, a
sub-space $V^{(7)}$ is determined as

V*'* = Wi ai = (0.0....,l....,0» eGP(2)" 

t <-th bit (2) 

In the following, $\Delta^{(7)}[a_0, a_1, \ldots, a_6]$ is denoted as $\Delta^{(7)}$ when $V^{(7)}$ is understood.
Let be the left 7 bits of the output from FO3: 

From Property 1, the following holds. 

= A<'>iya,2]T. (4) 

where symbol "]d" denotes the operation of omitting terms whose degree is smaller than d.

Let F(.) be the function GF(2)'xGF(2)' i-> GF(2)' shown in Fig. 7:
H312 - HXa ■\-Hi33 + Kzxt, Ytii ) . (5) 

Note that Y221 is a constant for the chosen plaintext. As Xo spans GF(2)^, from Property 1, 
the following holds. 

« A<'>^(Xo,n2.) (6) 

From equations (22) and (24) [sic], there is obtained the 7th order differential of H^^32:

A<^> j/^^ = a<^>:p(Xo, y»i )i7. (7) 

As a result of calculation of the Boolean polynomial of H312, it was found as follows:
the degree of H312 is 7, the 7th order differential of H^^32 is 0x6D, and the coefficients of
terms whose degree is 6 are functions of elements in Y221.
X222 = (x6, - - ^ , a:o)> (X22!3t = Ao + ifiaa + K222) 

The following condition is generated from A^^^^^32=0x6D. 

+Ch(p+a) + k:k} 

= Qx6D 

IC = (X:l, Kr), Kl./Cr^ GF(2)« (8) 

The key k can be moved by transforming the key in the modified MISTY 1. Since kL is 
divided into kli and ku (^ GF(2)16) in F05 function, the following holds in FI51. 

/C512 ^ A512 + fcfi 

In FI52, the following hold.

Thus, the condition (8) can be rewritten as follows.

{FO{CUP + A)l /C522, /C62J t/C5l2, /C511) 

= 0x6D (11) 

The condition (11) thus obtained is turned into plural linear conditions by an algebraic
method (see literature documents 7 and 9). The second session key prospect calculating
section 22K uses these linear conditions in calculating a session key prospect.

If the plural conditions for calculating a session key prospect include conditions that 
are inconsistent with each other, the second session key prospect calculating section 22K 
outputs uncalculability identifier data indicative of inability to calculate the session key 
prospect. 

Since this embodiment is configured for evaluation by finding session keys for the 6th
round and the 5th round, respectively, the conditions created by the second session key
prospect calculating section 22K for the calculation of a session key prospect are imparted
with sufficient redundancy to make the resulting session key prospect true.

The control unit inputs the plaintext and the ciphertext obtained at the final round of
the transformation process, which make a pair, to the first untransformed text calculating unit,
receives a 6th round putative untransformed text outputted and further inputs the putative
untransformed text as a putative untransformed text for the 5th round to the second
untransformed text calculating unit together with the plaintext. Alternatively, in response to
receipt of the uncalculability identifier data outputted from the second session key prospect
calculating section, the control unit outputs the recalculation request data to the first session
key prospect calculating section to cause the first session key prospect calculating section to
calculate another 6th round session key prospect and outputs a putative untransformed text for
the 5th round based on said another session key prospect.

The procedure for estimating a cipher outputted by the modified MISTY1 with use of
the cipher strength estimating device thus configured is as follows.

In the plaintext and ciphertext calculating unit 3 there is established beforehand a
condition for choosing a pair of plaintext and ciphertext which is suitable in applying the
higher order differential cryptanalysis to the modified MISTY1 to be subjected to evaluation.

The plaintext and ciphertext calculating unit 3 generates and outputs a pair of
plaintext and ciphertext which satisfies the condition established.

The control unit 1 inputs the plaintext and ciphertext outputted from the plaintext and
ciphertext calculating unit 3 to the first untransformed text calculating unit 21.

The first untransformed text calculating unit 21 receives the plaintext and 
ciphertext inputted, and the first session key prospect calculating section 21 K included in the 
first untransformed text calculating unit 21 calculates one of session key prospects which are 
prospects of the 6^^ round session key serving as an encryption parameter by utilizing the 
brute-force search method. 

The untransformed text calculating unit body 20A included in the first 
untransformed text calculating unit 21 calculates a putative untransformed text presumed to 
be equivalent to a 6th round output which is not transformed yet at the 6th round, or the final 
round of transformation in the modified MISTY1 by decrypting the ciphertext using the 
session key prospect calculated by the first session key prospect calculating section 21K, and 
then outputs the putative untransformed text thus calculated as an output of the first 
untransformed text calculating unit 21. 

Then, the control unit 1 receives the 6th round putative untransformed text 
outputted and then inputs the putative untransformed text as a putative transformed text for 
the 5th round to the second untransformed text calculating unit 22 together with the plaintext. 

The second untransformed text calculating unit 22 receives the plaintext and the 5th 
round putative transformed text, and the second session key prospect calculating section 22K 
included in the second untransformed text calculating unit 22 creates conditions for 
calculation of a 5th round session key prospect dynamically by the use of the 5th round 
putative transformed text and then performs calculation by an algebraic method or outputs the 
uncalculability identifier data if the conditions thus created include conditions that are 
inconsistent with each other. 

The control unit 1 outputs the recalculation request data to the first session key 
prospect calculating section 21K in response to receipt of the uncalculability identifier data 
outputted. 

The first session key prospect calculating section 21K receives the recalculation 
request data outputted, calculates another 6th round session key prospect, and outputs a 6th 
round putative untransformed text based on the 6th round session key prospect newly 
calculated. 

In this way calculation of 6th round session key prospect is repeated until the session 
key prospect for the 5th round is obtained. Since the 5th round session key prospect finally 
obtained can be considered to be equivalent to the aimed session key in terms of probability, 
the amount of calculation and the number of pairs of plaintext and ciphertext, which have 
been required to find the aimed session key, are displayed in the display as indicators for 
estimating the strength of the cipher. 
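
The control loop of the procedure above, sketched on a toy cipher as an added example that is not part of the patent. The two-round 8-bit cipher, its S-box layer, the sample keys and all function names are constructed for illustration, and the inner-key step uses direct inversion with a consistency check in place of the higher order differential conditions.

```python
# Toy 2-round cipher (constructed for illustration; not MISTY1).
SBOX4 = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def _round(x):
    """Nibble-wise S-box, then rotate the byte left by one bit."""
    y = (SBOX4[x >> 4] << 4) | SBOX4[x & 0xF]
    return ((y << 1) | (y >> 7)) & 0xFF

S8 = [_round(x) for x in range(256)]
INV8 = [0] * 256
for _x, _y in enumerate(S8):
    INV8[_y] = _x

def encrypt(p, k_inner, k_final):
    return S8[S8[p ^ k_inner] ^ k_final]

def peel_final_round(c, guess):
    """Unit body 20A analogue: putative untransformed text of the final round."""
    return INV8[c] ^ guess

def solve_inner_key(plaintexts, mids):
    """Section 22K analogue: each pair yields the condition k = INV8[mid] ^ p.
    Returns the key, or None (standing in for the uncalculability
    identifier data) when the conditions contradict each other."""
    conditions = {INV8[m] ^ p for p, m in zip(plaintexts, mids)}
    return conditions.pop() if len(conditions) == 1 else None

def estimate(pairs):
    """Control unit analogue: request final-round guesses until the inner
    key becomes calculable, then report the work spent as the indicator."""
    plaintexts = [p for p, _ in pairs]
    for rejected, guess in enumerate(range(256)):   # section 21K: brute force
        mids = [peel_final_round(c, guess) for _, c in pairs]
        k_inner = solve_inner_key(plaintexts, mids)
        if k_inner is not None:
            return {"k_inner": k_inner, "k_final": guess,
                    "rejected_guesses": rejected, "pairs_used": len(pairs)}
    return None

if __name__ == "__main__":
    K_INNER, K_FINAL = 0x3A, 0xC5            # constructed sample keys
    pairs = [(p, encrypt(p, K_INNER, K_FINAL)) for p in range(256)]
    print(estimate(pairs))
```

The loop tries at most 256 final-round guesses, each checked against the supplied pairs, where a joint brute-force search over both toy round keys would cover 65536 combinations.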

It should be noted that the present invention is not limited to the foregoing 
embodiment. 

The subject for evaluation is not limited to ciphers utilizing the modified MISTY1 or 
the transforming block of the MISTY1. 

To find session keys for more rounds, the device of the present invention may further 
comprise additional transformed text calculating units or may use the existing transformed 
text calculating unit repeatedly. 

It is, of course, possible to employ such a cryptanalysis as differential cryptanalysis or 
linear cryptanalysis instead of the brute-force search method or the higher order differential 
cryptanalysis in calculating session key prospects. 

If the device is configured to allow an estimator to input, for example, a plaintext or a 
ciphertext to the plaintext and ciphertext calculating unit through input means such as a 
keyboard for the calculation of the plaintext and ciphertext, it is convenient for the estimator 
to find conditions to be satisfied by a pair of plaintext and ciphertext suited for estimation by 
trial and error. Alternatively, if the device is configured to receive a plaintext or a ciphertext 
as an input from a network or another program, parallel estimation of ciphers can be 
implemented by the use of a distributed processing control program which assigns and inputs 
plaintexts and ciphertexts to be newly estimated for example to individual cipher strength 
estimating devices. 

If a putative untransformed text outputted from a certain putative untransformed text 
calculating unit of the cipher strength estimating device of the present invention is used as an 
input to a different cipher strength estimating device, or if a putative untransformed text 
outputted from a different cipher strength estimating device is used as an input to a certain 
putative untransformed text calculating unit of the cipher strength estimating device of the 
present invention, the present invention becomes applicable to the estimation of a cipher from 
a different cipher strength estimating device. 




As described above, the use of the cipher strength estimating device made it possible 
to prove that the modified MISTY1 can be decrypted by the use of 7th order differential. 

The cipher strength estimating device of the present invention uses brute-force search 
for the 6th round sub-keys and the algebraic cryptanalysis for part of the 5th round sub-keys, 
which requires 2^^ chosen plaintexts and 2^^^ times the number of FO function operations. By 
virtue of the effect of reducing the amount of calculation, the cipher strength estimating 
device is estimated to be about 2^^ times faster than the approach using brute-force search for 
a 128-bit user key. Therefore, the cipher strength estimating device has proved that at least 7 
rounds are necessary for a cipher using MISTY1 as cryptography to resist higher order 
differential cryptanalysis. 